Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
3772
Views
5
Helpful
7
Replies

FDM and NPS, test works but can't login

Go to solution
richard.priest
Level 1
Level 1

‎05-18-2020 05:01 AM - edited ‎05-18-2020 05:13 AM

Hi,

 

just trying to setup external RADIUS authentication to our Firepower 2110 boxes, we don't have FMC so it's the on box FDM for config.

 

I've created a security group in AD and the specific policies in the NPS, with the attribute fdm.userrole.authority.admin added to the cisco-av-pair attribute.

 

When I test authentication I get a success notification

 

FDM_NPS_1.png

However when attempting to login I am uncusessful

FDM_NPS_2.png

Can anyone advise where I may have gone wrong in setting this up?

 

 

 

EDIT:

 

Checking the NPS logs I can see it's approved the access request

 

FDM_NPS_3.png

 

Many thanks

 

Rich

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to richard.priest

‎05-18-2020 07:42 AM

You're welcome. The RADIUS test is just basically checking shared secret and if the device is valid on the RADIUS server.

I agree it would be useful if it actually processed the full authorization request and checked the result.

Seeing the actual packets often helps us cut through what we think is happening vs. what's actually going on. Back when I was learning ISE seeing the actual attributes and their values was my "ah ha" moment for grokking the computer science term "A-V pair".

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-18-2020 06:46 AM

Did you setup NPS to return the Cisco A-V pair "fdm.userrole.authority.admin"? (or .ro or .rw for read-only and read-write users) That's required to make it work. A simple "Access-Accept" won't do it.

I just tested and setup using ISE in my lab and that last bit was the key.

Reference the online help in your FDM:

https://<your FDM address>/#/help/t_configuring_external_authorization_aaa_for_firepower_device_manager_users.html

FDM User with External AuthenticationFDM User with External Authentication

FDM Authorization Result in ISEFDM Authorization Result in ISE

0 Helpful

Go to solution
richard.priest
Level 1
Level 1
In response to Marvin Rhoads

‎05-18-2020 06:58 AM

Yeah I did,  I don't have ISE unfortunately so am just using windows NPS

 

FDM_NPS_4.png

 

FWIW this is the attribute setting in the NPS policy

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to richard.priest

‎05-18-2020 07:05 AM - edited ‎05-18-2020 07:06 AM

Hmmm, if NPS is returning that value in the Cisco AV pair it should work.

I'd check with a packet capture on the NPS server filtering to the FTD address. RADIUS is plain text so you should be able to confirm the value is being sent back to FDM in the RADIUS reply message.

0 Helpful

Go to solution
richard.priest
Level 1
Level 1
In response to Marvin Rhoads

‎05-18-2020 07:22 AM

that's a great idea!

 

I've actually figured it out / fixed it, but I'm going to wireshark anyway for curiosity/professional interests sake.

 

When I created the NPS policy I added the RADIUS attribute to the network policy rather than the connection policy.

 

I do find it vexing that when testing FDM reported a success even though it wouldn't work mind.

 

For any future google searchers, set it in here:

FDM_NPS_5.png

 

Really appreciate the help!

 

Cheers

 

Rich

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to richard.priest

‎05-18-2020 07:42 AM

You're welcome. The RADIUS test is just basically checking shared secret and if the device is valid on the RADIUS server.

I agree it would be useful if it actually processed the full authorization request and checked the result.

Seeing the actual packets often helps us cut through what we think is happening vs. what's actually going on. Back when I was learning ISE seeing the actual attributes and their values was my "ah ha" moment for grokking the computer science term "A-V pair".

0 Helpful

Go to solution
EminaBrkanic
Level 1
Level 1
In response to richard.priest

‎03-12-2025 08:33 AM

This help me thanks-

Did you manage to authenticate users for ssh connection in same way?

 

0 Helpful

Go to solution
EminaBrkanic
Level 1
Level 1
In response to EminaBrkanic

‎03-13-2025 05:49 AM

I did it. Same logic applies only, for ssh service-type need to be set to administrative.

and don't use "." in username.

cheers

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card
Top